Security Now 377
Topic: Question and Answer
Recorded: November 7, 2012
Security Now 377: Your Questions, Steve's Answers #154
- Adobe is finally keeping to their quarterly schedule. The latest update was November 6th, including security fixes for Flash and AIR. Check your current version of Flash and view the latest version numbers across all platforms at http://www.adobe.com/software/flash/about. Chrome browser updates Flash on its own. Chrome 23 will include the latest version.
- Firefox has included their "Click to Play" feature in the beta releases. This functionality prevents vulnerable plugins from running without the user's permission.
- The newest Firefox Beta uses HTTP Strict Transport Security (HSTS) to increase security. It now preloads a list of common domains that will force strict transport security. The list is based on a data file provided by the Chromium project. Strict transport security was discussed in detail in Security Now #262
- Chrome 23 will add support for the Do Not Track header. It will also enable GPU accelerated video which has been shown to increase battery life by 25%. The release will also include per-site security permission controls, similar to NotScript.
- ARQ Cloud Backup now supports Amazon Glacier, a newer low-cost, long term storage offering. ARQ Cloud Backup is a Mac-only, "Trust No One" backup solution that uses cryptography and Amazon Web Services. The software authors are HaystackSoftware.com.
- @Captn_Caveman told Steve about PortQry, a command-line port scanner for Windows. It's an older tool but it works with current versions of Windows.
- Jonathan Schiefer (@jschiefer) contacted Steve about the Kickstarter campaign for his movie about computer hackers. Learn more at TheRootKit.com.
David G. Speigner in Marlborough, Connecticut
Questions & Answers
Question [ 01 ] - Sean O'Brien in Texas
@SGgrc, please don't say it's hard to factor large primes. It's impossible to factor any prime.
Steve: "It's not impossible to factor a prime. It's trivially easy. ... What I mean to say is that it's hard to factor the product of large primes."
Question [ 02 ] - Andrew in Arizona wonders about decrypting files
Steve, I have a question about cracking an encrypted file or block of text. I understand how it's possible to use a dictionary attack to figure out a string of text, for example a password, that has been hashed. Hash the text. If the hashes match, viola [sic]. But I am wondering how the process works for encrypted files. Where would you start, and how would you know when you've guessed the right key?
Assuming that you know all of the details of the encryption method except the key, there are two ways to brute force encrypted data. Some decryption modes include an authentication method that you could check against. When applying the test key to the beginning of a file to which you know the format, you can look for the data you expect to see. For example, if you're decrypting a TrueCrypt file then look for a valid TrueCrypt file header as part of the result.
Hey, Steve. I use Outlook Express always set to open email in plaintext. However, if I see something that looks odd, I point to the unread email, click and drag onto the desktop, where it becomes a little .eml envelope. I then open Notepad and drag the envelope onto the Notepad window. There I can see the headers and read in plain text, just in case someone has a clever zero-day Outlook hack.
This is a great tip, using tools that many people have handy. You might also use a hex editor to examine the file without opening it.
Something I noticed when logging into a site using OAuth to authenticate with Twitter was that, when my browser jumped to Twitter, LastPass recognized the site and auto-filled my login details. Since LastPass would not auto-fill on a domain that looks like Twitter but is not Twitter, wouldn't this be a way to protect yourself from spoofing?
Yes. Steve predicts that people will be accustomed to using OAuth which will result in an increase of OAuth spoofing. People won't remember to look at the URL before entering their information.
Question [ 05 ] - [Ricardo] J., Toronto, Ontario, Canada wonders about hardware made in China
I have been listening to your podcast for about two years now. And while I don't necessarily understand the propeller hat episodes, I do learn a lot from the show. I own SpinRite; and, though I have not had to use it for a catastrophic HD failure, it did fix a mysterious random slowness issue with my mother's laptop.
With the recent congressional warnings about Chinese telecoms being allowed to enter the U.S. and possibly spy on the communications they are helping to deliver, has anyone given thought to the hardware made in China? Even if Chinese companies are kept out, I would have to guess that most of the hardware that is used is either entirely or some part is made in China. Do companies that sell networking equipment tear down random samples of retail products to see if the components have been modified? For that matter, does a consumer electronics company like Apple perform tests like this? I would think that putting compromised equipment into your network would be just as bad as allowing a person to walk in off the street and sit at a terminal.
Little mistakes have already happened in the form of infected flash drives. If China or any country wanted to export compromised goods to the U.S., it would be hard to catch. Steve suggests that there's nothing to do except not worry about it.
Security experts have come to the conclusion that monitoring is the only way: actively watching traffic and asking questions.
Question [ 06 ] - John Lockman in Ottawa says that UPEK's security cannot be fixed
The entire problem with the UPEK model of using the fingerprint as a sole authentication factor is that Windows requires the password for other purposes, encrypted files on NTFS, for example, and thus they must store the password in some way. Even if they used the most secure algorithm in the most secure way, the password must, at some point, be decrypted into plaintext before it can be used to tell Windows to log in as a specific user.
AuthenTec can increase the security all they want, but anyone who reverse-engineers the encryption on the password will be able to decrypt the password simply by definition.
The only reasonable approach is to only use fingerprints as a second factor for authentication, the "something you have," obviously, because you've got it with you.
Steve agrees in principle and agrees that it only makes sense to use a fingerprint as a second factor. Two approaches fix this problem:
- Using the "Trusted Platform Module" (discussed in Security Now #99) which will not export the fingerprint data that it contains.
- Use features of the user's fingerprint. This is difficult because certain details might vary (oil, etc.) and decrease reliability.
Question [ 07 ] - Jeroen van den Berg in Waddinxveen, near Gouda, The Netherlands, says, "Steve and Leo, you guys are criminals."
I was just listening to Episode 375 at which you talk about having removed DRM from a Kindle book that you owned, and that there are tools available to do so. That sir, as crazy as it sounds, is illegal.
I was shocked, shocked to hear that you did not know this, as legitimately as you may feel about it. According to Section 103 of the DMCA, "No person shall circumvent a technological measure that effectively controls access to a work protected under this title."
The Act also prohibits the distribution of tools that enable a user to circumvent access controls or controls that protect a right of copyright holder. And you cannot claim that it's "fair use" because the DMCA does not contain any explicit exception. That's what got the DeCSS guys in trouble.
Just wanted to point that out. Personally I'm against any form of DRM on any media because it prevents making a backup, lending, or selling something you legally own. So if you want a DRM-free eBook, pirate it. Better not to pay and be a criminal than pay and still be a criminal.
Steve did not intend to imply that he didn't know it was illegal. He wanted to see if it worked, but knew it was a breach of the DMCA. It isn't against his personal ethics: he doesn't intend to distribute the content and doesn't believe his actions were part of what the DMCA was designed to prevent.
Tom points out that the Library of Congress provides exemptions in certain cases, such as unlocking mobile phones, unlocking ebooks for use with screen readers for the visually impaired, and more. He also mentions that more ebook publishers such as Bain Books (publisher of Honor Harrington series) and Tor are distributing DRM-free ebooks.
Question [ 08 ] - Dave Kodama in Cerritos, California also comments on Amazon books and DRM
Steve, Amazon's DRM has always bothered me. So when I found out that O'Reilly books come DRM-free and include multiple formats such as PDF, I have made an effort to always purchase the books directly from O'Reilly. I have noticed that they often a little more than the same book on Amazon, but I try and support O'Reilly's business decision by voting with my wallet. Perhaps some of your listeners may be unaware of that option. For the most part, I buy only "throwaway" books from Amazon. If Amazon disappeared, I would not be happy, as I like doing business with them, but I won't be losing anything I really want to keep around. SpinRite user since version 3, or maybe 2.
Steve agrees and follows the same policy with O'Reilly books. They make their publications available in a wide array of formats.
Tom mentions that there might be a DRM-free option when purchasing some Kindle books.
Question [ 09 ] - Christopher Ursich in Lyndhurst, Ohio comments on OAuth with Facebook and Google, suggesting that we just look for HTTPS
In the past two shows you've discussed the problem with OAuth where the user is tricked into entering their credentials into a phony Facebook or Google authentication page. I think it's worth mentioning or reminding people that this situation is no different than entering credentials on any web page. You simply need to look for HTTPS, and that the domain listed is what you expect. This is always my careful practice. What burns my butt is how some sites will try to make the authentication window pretty by eliminating the address bar. In those cases, I just don't proceed. I find another way to log in, or I just decide that I don't need whatever the site is offering. Displaying the HTTPS and domain should be part of the OAuth spec. Fortunately, sites that use Mozilla BrowserID don't seem to misbehave this way.
Thanks so much to you and Leo for Security Now. Your coverage always prompts me to dig even deeper into the topics on my own. Listener since The Onion Router Episode 70, SpinRite owner, and aspiring ketosis-izer.
While Chris' approach makes sense, there is no way that most people will know to look for HTTPS, the green bar, the correct domain, etc. Convenience and security are colliding.
Question [ 10 ] - Blake Waud in Troy, Michigan does suggest an OAuth spoofing solution using security pictures and phrases
Hey, Steve. Started listening just before Christmas of last year and have fallen in love with this podcast, bought SpinRite, et cetera, et cetera, blah blah blah, as Leo would say.
I was listening to Listener Feedback #153 and the discussion about OAuth. The problem you were having was how do we ensure the users can authenticate Facebook's page so they know they are entering their credentials into the right site and not a spoofed OAuth Facebook portal. Well, I am an IT Auditor in the financial institution sector and instantly knew of an answer that is a natural progression from the idea that we use pictures of our Facebook friends: a predetermined security picture and security phrase.
Almost every financial institution I audit now has this simple security feature installed as part of the initial online banking setup phase, where the user selects their image and writes up their own unique phrase to go along with it. In the case of OAuth, the real Facebook page would be able to display the image you selected when you set up your security settings in Facebook, since you would have navigated to Facebook yourself to set up the images before Facebook would allow OAuth to work. But the important part is that the bad guys wouldn't know what the security image or phrase you chose was and wouldn't be able to display it to you.
The only problem I can see is that it might be possible for the bad guys to scrape the image or phrase off of Facebook's actual login page, if they know the email you used for Facebook, and then be able to display it to you as part of a spoofed site. But I would imagine that attack might be more complicated and only be part of a spear phishing attack. Can you think of a solution to that point, since such a vulnerability would exist for financial institutions as well, and the only protection being a somewhat hard to guess username.
The spoofing site could still act as a man-in-the-middle attack, relaying your OAuth request to the actual site and relaying the response back to you. Now we have "proof" that we're in the right place even though it's actually been stolen. There isn't a way around this.
- Edited by:
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|